View Issue Details

ID: 0033017
Project: mantisbt
Category: documentation
View Status: public
Last Update: 2023-10-31 16:32
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.3.0
Target Version: 2.26.0
Fixed in Version: 2.26.0
Summary: 0033017: Mantis version visible in REST API request headers even when $g_show_version is OFF
Description

The REST API always returns the MantisBT version in the X-Mantis-Version header, regardless of the value stored in the $g_show_version config.

$ curl http://example.com/mantis/api/rest/ -I
HTTP/1.1 404 Not Found
Date: Sun, 15 Oct 2023 10:48:19 GMT
Server: Apache/2.4.57 (Unix) OpenSSL/3.1.3 PHP/7.4.33
X-Powered-By: PHP/7.4.33
Set-Cookie: PHPSESSID=mlr1mfkjl8h4dtaoqlo2qjeta5; path=/mantis; HttpOnly; SameSite=Strict
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Last-Modified: Sat, 14 Oct 2023 16:12:35 GMT
X-Mantis-Username: anonymous
X-Mantis-LoginMethod: cookie
X-Mantis-Version: 2.26.0-dev
Content-Length: 890
Content-Type: text/html;charset=UTF-8
Additional Information

Originally discussed in 0032980:0068159

Tags: No tags attached.

Relationships

related to 0032980 (closed): Information leakage: summary on bug revision note
related to 0033019 (assigned, dregad): X-Mantis-Version headers sent when REST API is disabled

Activities

dregad (developer) 2023-10-15 07:14 ~0068213

Transcript from internal discussion on the subject

Tue, Oct 3, 2023, 10:31:02 - dregad:
is there a good reason for not hiding the X-Mantis-Version header when $g_show_version is OFF ? (for background, see 0032980:0068159)

Wed, Oct 4, 2023, 02:46:05 - vboctor (Victor Boctor):
The version is important when you are programmatically accessing Mantis since depending on the version the set of APIs and functionality available will be different. It is also part of the contract. I think of show version not as avoiding information disclosure but as a UX config indicating whether to show it in the footer or not. I think we should just clarify this in the config documentation.

Wed, Oct 4, 2023, 09:15:35 - dregad:

a UX config indicating whether to show it in the footer or not

I agree it's just security through obscurity that does not achieve anything in terms of hardening a system, but regardless I think this is a decision that should be left to the admin, especially considering that this information is transmitted even if anonymous access is disabled and without the need for an API token

Wed, Oct 4, 2023, 09:55:46 - vboctor (Victor Boctor):
If someone knows a security gap they will just try it out. If the login approach is to change, the version would be useful even before clients have a token. It is important to have integrations not be impacted by inconsistencies because of random decisions.

dregad (developer) 2023-10-15 07:16 ~0068214

Based on this discussion, this issue is basically a won't fix.

I'll commit a documentation change to make it clear that version can always be retrieved via REST API if enabled.

dregad (developer) 2023-10-15 09:00 ~0068215

Changing category to documentation

PR_CSO (reporter) 2023-10-15 12:01 ~0068219

Hi all, please note that the version is displayed also if the API is NOT enabled.
I think that this circumstance makes it a little worse.

PR_CSO (reporter) 2023-10-15 12:08 ~0068220

curl -kis http://localhost/mantisbt/api/rest/
HTTP/1.1 401 API token required
Date: Sun, 15 Oct 2023 16:06:54 GMT
Server: Apache/2.4.52 (Debian)
Set-Cookie: PHPSESSID=ukcnd48i76p4vegpqg67n9ov1l; path=/; HttpOnly
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Last-Modified: Tue, 11 Apr 2023 22:55:08 GMT
X-Mantis-Version: 2.25.7
Content-Length: 0
Content-Type: text/html; charset=UTF-8

It allows an unauthenticated user to identify the exact version (fingerprinting), no matter whether the API is enabled or not (in my installation it is disabled).
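A self-check an administrator can run over the header blocks that `curl -I` prints, like the capture in the description and the one in the note just above (this is an added example; it is not MantisBT code and was not posted by anyone in this thread). It parses a raw HTTP response head and reports whether X-Mantis-Version is returned to a client that has not authenticated, using the X-Mantis-Username header the same way the captures show it. The two samples are constructed, abridged from the captures on this page.

```python
from __future__ import annotations

def parse_response_headers(raw: str) -> tuple[int, str, dict[str, list[str]]]:
    """Return (status_code, reason, headers): CRLF/LF tolerant, names lower-cased,
    repeated headers kept as a list, parsing stops at the first blank line."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    code = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block; anything after is body
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return code, reason, headers

def audit_version_disclosure(raw: str) -> dict:
    """Report whether the exact MantisBT version is sent before any login or token."""
    code, reason, headers = parse_response_headers(raw)
    version = headers.get("x-mantis-version", [None])[0]
    user = headers.get("x-mantis-username", [None])[0]
    server = headers.get("server", [None])[0]  # web-server banner, also a version leak
    # In the captures, X-Mantis-Username is "anonymous" or absent when no session/token was used.
    authenticated = user is not None and user.lower() != "anonymous"
    return {
        "status": code,
        "reason": reason,
        "version": version,
        "user": user,
        "server": server,
        "version_disclosed_pre_auth": version is not None and not authenticated,
    }

# Constructed samples, abridged from the two curl captures in this issue.
SAMPLE_API_ENABLED = """HTTP/1.1 404 Not Found
Server: Apache/2.4.57 (Unix) OpenSSL/3.1.3 PHP/7.4.33
X-Powered-By: PHP/7.4.33
X-Mantis-Username: anonymous
X-Mantis-Version: 2.26.0-dev
"""
SAMPLE_API_DISABLED = """HTTP/1.1 401 API token required
Server: Apache/2.4.52 (Debian)
X-Mantis-Version: 2.25.7
Content-Length: 0
"""
```

Feed it the output of `curl -sI` against your own instance's `api/rest/` path; a `version_disclosed_pre_auth` of True is the behaviour this issue describes.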

dregad (developer) 2023-10-16 08:53 ~0068224
Last edited: 2023-10-16 09:08

the version is displayed also if the API are NOT enabled.

This is wrong. I'll look into it (see 0033019).

Related Changesets

MantisBT: master 23d024eb (dregad, 2023-10-15 08:35)
Document $g_show_version not being a security feature

Fixes 0033017
Affected Issues: 0033017
mod - config_defaults_inc.php
mod - docbook/Admin_Guide/en-US/config/version.xml